How Cyber Insurance Works

Cyber insurance enables businesses to mitigate the costs that arise from cyber incidents, including ransomware. This type of insurance is essential to any business, regardless of size or industry. A cyber incident ranges from unexpected email behaviours to full-blown ransomware to financial fraud. Insurance companies want to know how prepared your business is to prevent, and to handle, such events.

To use the language of the insurance industry, in much the same way as commercial insurance transfers some of the financial risk associated with events like theft or errors & omissions to the insurer, cyber insurance transfers some of the financial risk associated with cyber events to the insurance company.

How cyber insurance costs are determined

Your risk profile determines how much coverage your business would need in the event of a cyber incident. Higher risk for the underwriter means higher premiums for the insured. There are a number of factors that impact the cost, including:

  • Revenue

As of mid-2024, the minimum ransom demand in Canada is $100,000, regardless of the size of the victim organization. However, when cyber criminals are able to approximate a company’s revenue, the demand increases accordingly. In 2023, the average ransom demand ranged between 5-10% of revenue.

In other words, most companies with over $2M in revenue will have a ransom demand higher than $100K. Higher potential ransom demands translate to higher risk for insurers, and therefore higher premiums.

  • PII (Personally Identifiable Information)

A common question on insurance applications is some form of “How many PII records does your company store?” According to the Canadian federal government, “personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”

Higher numbers of PII records generally translate to higher risk for the underwriter.

  • 1st-party liability

First-party liability refers to the costs a company would directly incur to recover from a cyber incident. This could include costs such as incident response consulting, equipment replacement, business interruption, media relations, etc.

  • 3rd-party liability

Third-party liability refers to costs resulting from the insured company being held responsible for damages incurred by another party from the incident. For example, a company has information stored in the cloud. The cloud service provider gets breached and company information is stolen. The company didn’t actually have an incident – their supplier did. But the company will still be sued by their customers because customer information was leaked.

  • Cyber resilience

Cyber “resilience” is a relatively new term meant to be more holistic than cyber “security”. Not only is it important to defend your company against cyber attacks, it’s equally important to prevent them in the first place, AND to recover quickly.

Better cyber resilience for an organization means less risk for the underwriter, which helps to reduce insurance premiums.

  • And more…

The above factors cover some of the criteria involved in quantifying cyber risk. Every insurer has their own way of evaluating how much risk they would have by insuring a company.

Like most service industries, insurance brokers and agents are in business to help people and organizations. However, cyber insurance is relatively new and extremely complex. So, many insurance professionals want to help but are not able to effectively understand and quantify cyber risk. Therefore, they are stuck between “the proverbial rock and a hard place”. Meaning, they don’t want to leave their clients uninsured; but without decades of experience and supporting actuarial information (as is the case with home, life, auto, and commercial insurance) combined with the technical complexity of cyber crime, they often aren’t sure how to proceed and companies end up under-insured.

As an example, when we conducted a cyber insurance review for a client, we found that their policy limits were less than 10% of the potential costs involved in a breach. The client’s insurance agent had simply provided them a policy that was available from his firm. Let’s be clear: The agent didn’t do anything wrong! In fact, he helped his client immensely by putting something in place. But he was not provided with the same kind of support he had for every other type of insurance his firm sold; so he did what he was able to do. Nonetheless, his firm was not able to provide the level of cyber insurance the client needed, so we helped them obtain the correct amount of cyber insurance from another firm.

So, we created a free cyber liability calculator to help organizations understand how much cyber risk they have.

There are many ransomware-only calculators available on the Internet; but they don’t account for other liabilities (A/R fraud is a great example of overlooked cyber risk).

Stricter requirements are the new reality for coverage

Now more than ever before, insurers are checking to make sure companies are properly securing their business. They are requiring more in-depth information about a company’s cyber policies, procedures, and practices; and if a company can’t satisfy the greater level of scrutiny, it could face coverage issues (higher pricing, limited coverage, or being refused altogether).

This is a very serious reality for which most businesses are not equipping themselves, and it is confirmed by a recent Wall Street Journal article, “Buying Cyber Insurance Gets Trickier As Attacks Proliferate, Costs Rise”:

“In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional services firm Marsh & McLennan Cos.”

Common security practices required by insurance

All businesses are being forced to navigate some form of compliance to obtain cyber insurance or continue being covered at their next policy renewal (this is not as uncommon as you might think!). It includes measures across the physical, technical and administrative areas. The most common are:

  • IT Security Audit: Otherwise known as a cyber security assessment, this is a comprehensive review of the cyber security measures in place for your business.

    Basically, the underwriter needs to know some kind of cyber security assessment has been conducted. This could be an assessment by internal staff or by an external 3rd-party.

    Every business should conduct regular internal security assessments, either by staff or their outsourced security provider. Either way, this may or may not be the same department that provides IT services.

    Keep in mind that IT and cyber security are NOT the same thing. That would be like saying a window & door company is the same company that installs and monitors the alarm on those windows and doors.

    Nobody should check their own work; so we highly recommend that you have a qualified 3rd-party conduct the assessment. Birmingham Consulting is happy to be your first choice for a second opinion.
  • Multi-Factor Authentication (MFA): MFA is a login security strategy where an account user is required to have a secondary method of verifying their identity in addition to username and password. Not only do we recommend this as a simple way to improve security, it is now standard for insurers to require this in order to receive coverage.
    • Most secure: Biometric (face, fingerprint, etc.)
    • Second most secure: Authenticator app (Duo, Authy, Google, etc)
    • Least secure: Text or email – these are the most easily intercepted by cyber criminals.
  • Disaster Recovery (DR) Plan: A formal document that contains detailed instructions on how to respond to major unplanned, disruptive events. Similar to an IRP, the DR plan goes a step further. What is the company’s plan to continue to operate if a major disaster were to occur?

    A good DR plan outlines steps for an organization to take when potentially catastrophic events like COVID take place. For example:
    • Pandemics
    • Fire, flooding, ice storms, and other natural disasters
    • Vandalism
    • Theft
  • Incident Response Procedure (IRP): An IRP is a written document outlining the steps to take when a cyber incident occurs. Insurance providers want to know if your business is prepared to deal with events such as unexpected email behaviour, stolen equipment, or a ransomware attack.

    It’s important to note that IRPs must be tested on a regular basis. Effective testing will reveal any gaps that need to be addressed to improve the organization’s ability to respond. The normal method of testing an IRP is with a tabletop exercise – essentially a role play for executives and staff. Kind of like a fire drill for your cyber security, or what the military might call “wargames”.

As with the factors contributing to cyber insurance premiums, the criteria to qualify for cyber insurance are becoming more and more detailed. And they vary widely across insurers: we’ve seen everything from simple 1-page questionnaires all the way to complex 10-page questionnaires.

Cyber attacks are growing more common and easier to execute, especially with the evolution of AI. Tools used to commit illicit acts are becoming cheaper and more user-friendly. There’s even ransomware-as-a-service as a business model.

The City of Hamilton, the RCMP, Global Affairs Canada and Canada’s financial intelligence unit FINTRAC have all had high-profile cyber incidents since the start of 2024. There have been countless more in the private sector – and those are just the ones that made the news!

Last year, businesses in the manufacturing sector were targeted significantly more than other sectors with 47% of respondents saying they experienced an attack; followed by construction (38%) and healthcare + pharma sectors (35%). Interestingly, only 18% of organizations in the public sector have been impacted by ransomware. (Reference: Palo Alto Networks Canada, 2023)

Now that you know how cyber insurance works…

Insurance providers want to know that an organization can handle the circumstances surrounding an incident, from their ability to prevent an attack to their level of effectiveness in recovering from one. Cyber risk insurance allows businesses to reduce the expenses associated with cyber incidents.

Actioning a new cyber security policy or procedure can be an intense change for a company. Certainly, as an information security company, we’ve heard it all from our clients, as the demand for better security measures and protocols increases – which is not just to meet the risk of cyber-attacks, but also to be able to qualify for insurance coverage.

Failing to implement, maintain, and adhere to cyber security measures is still the main reason for denial of claims. Coverage denial is no joke and could prevent a company from getting proper business insurance, or at least increase its rates.

Birmingham Consulting is your source for cyber security expertise and can help identify where your business’ cyber security needs attention. If you are not 100% confident in your security systems, make Birmingham your first choice for a second opinion.